Cybersecurity Maturity Model Certification (CMMC) Basics for DoD Contractors
The model will provide a rating system evaluating the contractors' ability to protect sensitive data on a 1-5 scale and all DoD contractors will need to be certified.
Cybersecurity Maturity Model Certification Basics
A working group of the government, universities, and private companies are developing the next evolution of cybersecurity standard for DoD contractors. According to the CMMC FAQ‘s, “The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.”
What’s The Scoop?
Here are some things to know:
- The model will provide a rating system evaluating the contractors’ ability to protect sensitive data on a 1-5 scale;
- All DoD contractors will need to be certified, regardless of whether or not they handle CUI;
- Flow downs will apply to all subcontractors, teaming agreements and joint ventures;
- Not everyone will need the highest certification rating;
- The level of required certification will be based on the information handled in the contract;
- Third-party organizations, such as our friends at Kreative Corporation will act as auditors and certify contractors; and
- Both the DoD and the public will have access to a company’s certification level, but not the details of the evaluation.
What Does All This Mean?
The timeline for the rollout is aggressive (preview in January, deployment by September 2020) but there is significant energy behind the initiative. Until then, more confusion will reign as everyone in the supply chain tries to guess what investment is required.
“This will ultimately be good for the industry,” reported Bill Wootton, C3’s President. “A single set of standards was hurting the small contractors by forcing investment that wasn’t proportionate to the work they are doing. This will ultimately help some contractors, especially the professional services firms, because they really handle very little CUI data.”
On the other end of the spectrum, the previews of the recently published NIST SP 800-171B provides an early view of what the implementations for higher CMMC levels might require, so it would be a good idea for companies that anticipate these higher levels to begin planning for future implementation.
Who Will Do The Audits?
The audits themselves will be conducted by approved third-party auditors who will determine what level your current implementation meets. By having a set all-encompassing framework for cybersecurity implementations, the process of meeting the required level of compliance will be much more consistent, allowing the company to determine what level they need to meet and how to meet it prior to undergoing these audits.
While the initial shift will bring a lot of change and chaos to companies that have not yet fully committed to developing and maintaining a properly secured environment, in the long run, it will bring standardization to the industry by ensuring all contractors are compliant with their security requirements,” reports Soda Sultana, President and CEO at Kreative Corporation. “At this point in time, it is unclear who will be ultimately responsible for conducting the external audits against the new standard. However, as we progress over the next several weeks and months, we will learn more around compliance enforcement.”
What About ITAR?
It’s important to note, ITAR is a separate set of rules and regulations. ITAR is administered by the State Department, and while export controlled technical data is considered CUI, the US data residency and NOFORN rules are independent of these changes. Our guess is that export data will translate to an automatic certification level requirement in the new CMMC model. Either way, ITAR rules still apply.
So, What’s A Contractor To Do Now?
Don’t wait. C3’s Bill Wootton adds, “There will be a rush of companies (60,000 plus) that the new requirement will apply to. Even if the timeline misses by a year, that’s a lot of organizations trying to get through the pipeline. The bottlenecks won’t just be the auditors – IT professionals (both internal and external) will struggle to handle the workload to meet the targeted level.”
If you don’t practice good cyber hygiene (admit it, you know who you are), start making the investments now. The controls are already in place; we’re just waiting to understand how they all fit together.
Where Do You Start?
Start with looking at FAR 52.204-21. If you are doing work with the government today, you have already committed to meeting this requirement. Start with the basics like multi-factor authentication, mobile device management, and active monitoring of your networks.
You should also start analyzing information flows to understand what systems, processes, and users will be impacted by the regulations. For example, no one cares when the company picnic is, but you should understand who and what has access to your contracts and what systems they reside.
“Most companies can start to understand their compliance levels by proactively identifying security boundaries and the most critical systems that control your organization’s data,” reports Soda Sultana. “It is also prudent for organizations to begin standardizing its processes to enable consistent and repeatable practices – this will introduce a culture shift and ultimately foster good security discipline which will contribute to the continual improvement of your security posture.”
You know the business that you are pursuing, and you should have a good understanding of the common types of information that might be in your possession as a result. What information resides on your network? Do you know where that information resides on your network? This answer differs greatly for a radar component manufacturer to an engineering firm conducting data analysis, to a staff augmentation shop that has almost no internal infrastructure. However, these factors drive how the requirements apply to your environment.
C3 Integrated Solutions is an IT Services provider that is dedicated to supporting defense contractors of all sizes meet their compliance requirements cost effectively. Centered around Office 365 GCC High, our cloud solutions combined with managed security services, give you the tools to protect your systems.
To learn more about how we can help you meet your requirements, please contact us.